[Owasp-turkey] Fwd: Split Handshake Attack

Musa Ulker musaulker at gmail.com
Wed Jun 2 17:02:32 EDT 2010


Do you know anything about this attack, friends? I found it interesting..

--------
This is awesome.  The usual handshake is SYN, SYN/ACK, ACK, like this:

Client     SYN -->           Server
Client     <-- SYN/ACK       Server
Client     ACK -->           Server

However, there are permitted variations on this handshake, such as
this one in which both parties open a session simultaneously:

Client     SYN -->           Server
Client     <-- ACK           Server
Client     <-- SYN           Server
Client     ACK -->           Server

That's legal according to the RFCs, but when you do it on real modern
operating systems, it comes out like this:

Client     SYN -->           Server
Client     <-- ACK           Server
Client     <-- SYN           Server
Client     SYN/ACK -->       Server
Client     <-- ACK           Server

In practice, this really opens a session so data can flow.  But it
confuses IDS systems so much that they let attacks go right through--
they don't know what's going on.  Snort, TippingPoint 2400, and
Juniper SRX 5800 all failed to detect attacks sent after that
handshake.

More info here: http://bit.ly/9tUfb9

-- 
M.Musa Ülker
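As an added illustration (my own code, not part of the forwarded message or of any of the products it names), a toy Python stream tracker showing why a model that only pattern-matches the textbook SYN, SYN/ACK, ACK exchange never marks the split-handshake session as established, so payload after it would go uninspected, while per-direction bookkeeping (each side's SYN seen and acknowledged by the peer) does. The three packet sequences are constructed from the diagrams above; the direction labels and flag sets are assumptions of this example.

```python
# Constructed packet traces: (direction, flags) per segment, payload omitted.
NORMAL = [("c2s", {"SYN"}), ("s2c", {"SYN", "ACK"}), ("c2s", {"ACK"})]
SIMULTANEOUS = [("c2s", {"SYN"}), ("s2c", {"ACK"}), ("s2c", {"SYN"}),
                ("c2s", {"ACK"})]
SPLIT = [("c2s", {"SYN"}), ("s2c", {"ACK"}), ("s2c", {"SYN"}),
         ("c2s", {"SYN", "ACK"}), ("s2c", {"ACK"})]

PEER = {"c2s": "s2c", "s2c": "c2s"}


def naive_established(packets):
    """Accept only the exact textbook three-way exchange, in order."""
    expected = [("c2s", {"SYN"}), ("s2c", {"SYN", "ACK"}), ("c2s", {"ACK"})]
    return [(d, set(f)) for d, f in packets[:3]] == expected


def robust_established(packets):
    """Session is up once BOTH sides' SYNs have been seen and each has been
    ACKed by the peer, regardless of how the flags were split across segments."""
    syn_seen = {"c2s": False, "s2c": False}
    syn_acked = {"c2s": False, "s2c": False}
    for direction, flags in packets:
        if "SYN" in flags:
            syn_seen[direction] = True
        # An ACK only counts once the peer's SYN has actually been observed.
        if "ACK" in flags and syn_seen[PEER[direction]]:
            syn_acked[PEER[direction]] = True
        if all(syn_seen.values()) and all(syn_acked.values()):
            return True
    return False


def compare_trackers():
    """Return, per trace, whether each tracker would inspect later payload."""
    traces = {"normal": NORMAL, "simultaneous": SIMULTANEOUS, "split": SPLIT}
    return {name: (naive_established(t), robust_established(t))
            for name, t in traces.items()}


if __name__ == "__main__":
    for name, (naive, robust) in compare_trackers().items():
        print(f"{name:13s} naive={naive!s:5s} robust={robust}")
```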

